What is it?

• Sun-Tzu is a concept for an agent based situational awareness (SA) data base tool intended to find and highlight inconsistencies in the battle SA picture

• The goal is to find inconsistencies that might cue the existence of a deception story

• It is bottom-up, not top-down

• Sources of inconsistency other than deception might be tactically much more valuable:

> incomplete detection — not sensing things that are there

> mistaken detection or interpretation — wrong identification of sensed element

> false detection — seeing what isn’t there

> mistaken interpretation — wrong picture of reality


Assumptions

• There is a lot of information available — too sparse and you are doomed anyway (Imperial Japan after 1941)

• The information is reasonably correct — too wrong and you are doomed anyway (Nazis after ~1940)

• Basic premise for countering — or implementing — deception with templates is that no deception story can be complete if examined closely enough

• Enemy deceptions must be included in set of templates

• Deception may be local or global — due to small unit commander initiative or centrally planned and executed — these will differ in techniques, resources

• Watch out for too good to be true

• This is not RAID — more on that later


8/12/2005 


Applications

• This analysis cues incongruities or anomalies in the Situation Awareness data base

• One kind of incongruity or anomaly may underlie an enemy deception effort

• Others may be due to

> mis-identifications,

> non-detections,

> false detections,

> mis-interpretations

• At the tactical level these are far more likely, and may be far more valuable than warning of possible deception per se
Basic thesis

“The possibility of detecting deception... is inherent in the effort to deceive. Every deception operation necessarily leaves at least two clues:

incongruities about what is hidden; and
incongruities about what is displayed in (its) stead.

The analyst requires only the appropriate sensors and mindset (cognitive hypotheses) to detect and understand the meaning of these clues.” (Whaley-Busby p. 191).*

*From tutorial, Integrating Methods and Tools to Counter Denial and Deception, Ed Waltz, International Conference on Intelligence Analysis, 2 May 2005, courtesy Frank Stech, MITRE, used with permission.


The trick is how to find the clues.

• Basic tool is the template

• Evidence from the study of decision making indicates that, in situations with incomplete data and under time pressures, a high proportion (perhaps 96%*) of decisions are based on recognizing and applying patterns

> Learned patterns are used to diagnose or recognize situations

> Learned patterns are used to implement solutions

> These patterns are doctrine, tactics, and at the lowest level, SOP and battle drill

> Some leaders will ignore or discard learned patterns and either blunder or innovate — the dummy or genius factor

* from Gary Klein, Sources of Power, The MIT Press, 1998, referenced at http://www.cs.mu.oz.au/~ejn/pubs/NorlingHeinze-CogSciOO.pdf
What is a template?

• A template is a pattern of activity or things

• It can be compared to the elements of the situational awareness picture at all levels

• A template can be derived from enemy doctrine either published or deduced

• It can be applied piecewise to each datum in the SA picture at that level

• The degree of “fit” of the template to the data can be estimated several ways

• Template evaluation must provide a warning in the case of “too much” as well as “too little”
From FM 100-2-1, The Soviet Army, Operations and Tactics, 16 July 1984. Although the Soviet Union is no more, a lot of people were trained in this way of waging war. In any case, the material is illustrative if not definitive.

Really really elementary example of use of a template

Consider a sensing of a vehicle identified as an armored vehicle.

The sensing is accompanied by a constellation of other sensings. The sensing datum under consideration is examined to see if the other sensings correspond to the old-style Soviet geometric formations: is there another armored vehicle within 100 meters? 400 meters? Is it a tank? An APC or IFV? MTLB? Etc., etc.

If so, is there a command vehicle within 500 meters? A logistic vehicle within 1000 meters? Are the terrain and met conditions favorable for detection if the required vehicles were indeed there, if not sensed?

Is the same sensed set of vehicles present in sensings a day earlier? Two days? Three?

Does the sensing permit recognition of tracks? If so, are there any?

Does the ELINT data base include sensings of the proper type, say R123 radios? And so on.

(from p. 5-11, FM 100-2-1, The Soviet Army, Operations and Tactics, 16 July 1984)
Templating

[Figure: Template 1, Template 2 and Template 3 compared against Deceptive Element 1, Deceptive Element 2, ... Deceptive Element n. Legend: congruent entry; no congruence; wrong indicator. Cell labels: hidden; misses; sees, gets right; sees something.]
Simple low level tactical template

Datum X1: Visual signature tank 1 — data element being parsed
Evidence datum X2: Visual signature tank 2
Evidence datum X3: Visual signature tank 3
Evidence datum X4: Visual signature tank 4
Evidence datum X5: Acoustic signature — idling tank engine sound
Evidence datum X6: Acoustic signature — moving tank
Evidence datum X7: Chemical signature — exhaust
Evidence datum X8: Thermal hot spot
Evidence datum X9: Radar return — conventional centimetric wavelength
Evidence datum X10: Millimeter wave radar
Evidence datum X11: Lidar signature
Evidence datum X12: Tracks on ground
Evidence datum X13: Communications signature
Evidence datum X14: Presence of controlling headquarters element
Evidence datum X15: Presence of accompanying units such as other tank or mechanized infantry platoons
Evidence datum X16: Terrain factors — is it suitable for vehicles? Tracked vehicles? Wheeled?
Simple low level deception template

Visual signature tank 1 — data element being parsed
Visual signature tank 2
Visual signature tank 3
Visual signature tank 4
Acoustic signature — idling
... etc.
Tracks on ground
Communications
Presence of cmd. Element
Presence of accompanying units
Terrain factors — US access?
Enemy element in overwatch position?
Enemy artillery in range?
Commanding ground nearby?
Increasing terrain restriction?
Easy enemy retreat path?
Disturbed earth along path?
... etc.
How to estimate congruence or divergence: metrics

• Problem is how to reduce these elements to some numerical value or metric

• Several possibilities

> Add up the yeses/noes

> Weight the elements and add, normalize, etc.: (Grey System Theory or normal ORSA stuff, take your pick)

> Phase space vector manipulation

> Bayesian Belief Network (BBN)
Simple pseudo-binary approach

Template element                   Observation                                Score
Visual signature tank 1            data element being parsed                  +1
Visual signature tank 2            not detected                                0
Visual signature tank 3            detected 80 meters away                    +1
Visual signature tank 4            not detected                                0
Acoustic — idling                  detected by array                          +1
Acoustic — moving                  not sensed                                  0
Chemical signature — exhaust       not sensed, no means to do so               0
Thermal                            checked, not present                       -1
Radar — conv. cm wavelength        not checked                                 0
Millimeter wave radar              not checked                                 0
Lidar                              not checked                                 0
Tracks on ground                   UAV checked, not found, ground suitable    -1
Communications                     no ELINT                                    0
Presence of cmd. Element           not sensed, open ground                    -1
Presence of accompanying units     not sensed, open ground                    -1
Terrain factors — is it suitable?  No                                         -1
Total                                                                         -2/16: probably not

Just add up the yesses (+1s) and contradictions or noes (-1s or 0s), normalize to number of elements (16 in this case).



Simple low level deception template

Template element                      Observation                                 Score
Visual signature tank 1               data element being parsed                   +1
Visual signature tank 2               not detected                                 0
Visual signature tank 3               detected 80 meters away                     +1
Visual signature tank 4               not detected                                 0
Acoustic signature — idling           yes, detected by array                      +1
... etc.
Tracks on ground                      UAV checked, tracks found, ground suitable  +1
Communications                        recent xmissions at position                +1
Presence of cmd. Element              not sensed, open ground                     -1
Presence of accompanying units        not sensed, open ground                     -1
Terrain factors — US access?          yes                                         +1
Enemy element in overwatch position?  Not sensed, cover at positions               0
Enemy artillery in range?             Yes                                         +1
Commanding ground nearby?             Yes                                         +1
Increasing terrain restriction?       Yes                                         +1
Easy enemy retreat path?              Yes                                         +1
Disturbed earth along path?           Not sensed                                   0
... etc.
Linear deviation metric

• Consider the sum of the values resulting from correspondences of the elements of a template and the elements in a data base, weighted by their judged importance.

• Initially the value of correspondence of the i-th element may be binary: 0 or 1.

• A refinement might be to include an estimate of the probability of the element in the data base being a true sensing, so that the values might range from 0 to 1, inclusive.

• Normalization allows comparison between templates, which might well have different numbers of potentially evidentiary data elements

• In this case the deviation metric might be

$$P(\text{template TRUE}) = \text{Congruence} = \frac{1}{N}\sum_i (\text{weight})_i \, (\text{truth})_i$$

$$\text{Deviation} = 1 - \text{Congruence}$$
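The pseudo-binary count and the weighted linear metric above, as an added Python example that is not part of the original slides. It scores the 16-element tank template with the slide's +1/0/-1 values; the weights, the normalization by the number of elements, the warning thresholds and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    score: int           # pseudo-binary: +1 found, 0 no information, -1 contradicted
    weight: float = 1.0  # judged importance in [0, 1] (constructed values)

# The 16-element tactical tank template with the scores from the slide's table.
# Weights below 1.0 are constructed for illustration only.
TANK = [
    Element("visual tank 1", +1), Element("visual tank 2", 0),
    Element("visual tank 3", +1), Element("visual tank 4", 0),
    Element("acoustic idling", +1, 0.5), Element("acoustic moving", 0, 0.5),
    Element("chemical exhaust", 0, 0.25), Element("thermal", -1, 0.5),
    Element("radar cm", 0, 0.5), Element("mm-wave radar", 0, 0.5),
    Element("lidar", 0, 0.5), Element("tracks on ground", -1),
    Element("communications", 0, 0.5), Element("command element", -1),
    Element("accompanying units", -1), Element("terrain suitable", -1),
]

def pseudo_binary(elements):
    """Sum of +1/0/-1 scores, normalized to the number of elements."""
    return sum(e.score for e in elements) / len(elements)

def congruence(elements, truth=None):
    """Weighted linear congruence: (1/N) * sum(weight_i * truth_i).

    truth_i defaults to the binary first approximation (1 if the score is +1,
    else 0); pass a list of probabilities in [0, 1] for the refinement.
    """
    if truth is None:
        truth = [1.0 if e.score > 0 else 0.0 for e in elements]
    if len(truth) != len(elements):
        raise ValueError("one truth value per template element is required")
    if any(not 0.0 <= t <= 1.0 for t in truth):
        raise ValueError("truth values must lie in [0, 1]")
    return sum(e.weight * t for e, t in zip(elements, truth)) / len(elements)

def deviation(elements, truth=None):
    """Deviation = 1 - Congruence."""
    return 1.0 - congruence(elements, truth)

def assess(c, too_little=0.3, too_much=0.95):
    """Warn on 'too little' and on 'too much' fit. Thresholds are assumptions."""
    if c < too_little:
        return "too little: template probably does not apply"
    if c > too_much:
        return "too much: fit is too good to be true, check for a deception story"
    return "plausible fit"

if __name__ == "__main__":
    c = congruence(TANK)
    print(f"pseudo-binary {pseudo_binary(TANK):+.3f}, congruence {c:.3f}, "
          f"deviation {deviation(TANK):.3f}: {assess(c)}")
```

A template whose every element is matched scores 1.0 and trips the "too much" branch, which is the case the slides flag as too good to be true.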
Phase space deviation metric

• The description of battle has been considered as a vector in an n-dimensional phase space.

• This leads to the possibility of a template being considered a vector in that phase space.

• There are several possible deviation vector measures.

• One is the dot-product of the phase space data elements and the template.

• In this case if the template fit the situational data each element of the template would be accompanied by a datum corresponding to it in the data base. In a first approximation the elements of the presumed detection either correspond to the template or they do not; that is, the confidence in the sensings or the trafficability data or accuracy of the acoustic signature in the situational awareness data base is presumed to be zero or unity.

$$\text{Congruence} = \frac{1}{N}\sum_i (\text{weight of template element})_i \, (\text{template element})_i \, \frac{(\text{corresponding database element})_i}{(\text{max value of corresponding database element})_i}$$

$$\text{Deviation} = 1 - \text{Congruence}$$
Bayesian Belief Network (BBN)

• Probability calculation of causes based on observed effects

• Cause: Target of interest, unknown event, etc.

• Effects: Trafficability Data, Acoustic Signatures, etc.

• Probabilities established based on prior information (templates)

• Bayes’ Theorem for n basic events, $A_1, A_2, \ldots, A_n$:

$$P(A_j \mid B) = \frac{P(A_j)\,P(B \mid A_j)}{P(A_1)\,P(B \mid A_1) + P(A_2)\,P(B \mid A_2) + \cdots + P(A_n)\,P(B \mid A_n)}$$
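Bayes' theorem as stated above, applied to competing templates as causes and sensings as effects, in an added Python example that is not part of the original slides. The hypothesis names, priors and detection probabilities are constructed, and treating the effects as conditionally independent given the cause is a simplifying assumption rather than the slides' Netica network.

```python
def posterior(priors, likelihoods):
    """Bayes' theorem for n mutually exclusive causes A_1..A_n and one effect B.

    priors[h] is P(A_h); likelihoods[h] is P(B | A_h). Returns P(A_h | B).
    """
    joint = {h: priors[h] * likelihoods[h] for h in priors}
    total = sum(joint.values())
    if total == 0.0:
        raise ValueError("observation is impossible under every hypothesis")
    return {h: j / total for h, j in joint.items()}


def update(priors, model, observations):
    """Fold sensings in one at a time, assuming effects are conditionally
    independent given the cause (a naive-Bayes simplification of a BBN).

    model[h][effect] is P(effect sensed | h). Each observation is
    (effect, True/False/None); None means "not checked" and carries no
    evidence, which is different from "checked, not present".
    """
    belief = dict(priors)
    for effect, sensed in observations:
        if sensed is None:
            continue
        lik = {h: model[h][effect] if sensed else 1.0 - model[h][effect]
               for h in belief}
        belief = posterior(belief, lik)
    return belief


# Constructed priors and detection probabilities (not from the slides).
PRIORS = {"real_platoon": 0.9, "decoy": 0.1}
MODEL = {
    "real_platoon": {"visual": 0.8, "thermal": 0.9, "tracks": 0.8, "lidar": 0.7},
    "decoy":        {"visual": 0.8, "thermal": 0.1, "tracks": 0.2, "lidar": 0.7},
}
# Observations patterned on the pseudo-binary table: seen, checked and absent,
# or not checked at all.
SENSINGS = [("visual", True), ("thermal", False), ("lidar", None), ("tracks", False)]

if __name__ == "__main__":
    for h, p in update(PRIORS, MODEL, SENSINGS).items():
        print(f"P({h} | sensings) = {p:.2f}")
```

The visual sensing alone moves nothing because both hypotheses predict it equally; the missing thermal signature and missing tracks are what shift belief toward the decoy template.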
Example BBN in Netica

[Figure: Netica screenshot of the net deception_taxonomy_l, showing the conditional probability table for node P accept_deception_hypothesis and belief bars for the nodes sensible datum 1 to 3, Pdet deceptive datum 1, Pconceal datum 1 to 3, Pdet datum 1 to 3 and P accept deceptive hypot...]

Node beliefs shown in the figure:

Pdet deceptive datum 1: True 98.8, False 1.22
Pconceal datum 1: True 4.82, False 95.2
Pdet datum 1: True 52.4, False 47.6
Pconceal datum 2: True 1.04, False 99.0
Pdet datum 2: True 62.8, False 37.2
Pconceal datum 3: True 9.09, False 90.9
Pdet datum 3: True 83.3, False 16.7
Incongruity detection process

Object layer: Objects inserted into OneSAF Test Bed (OTB)

Concealment layer: Adjust Pdets in OTB

Sensing layer: OTB produces Pdets

Evaluation layer: Templates in BBN




Interesting possibilities

• Deceptive activities and their templates are associated with a characteristic scale or coherence length in space and time

• An agent based approach may be able to access data appropriate to all these scales

• Sparseness of data in local SA data base introduces graininess and hence variation that may mask patterns at lower scales

• Access to multiple scales may compensate for this to some degree

• Insertion of deception or systematic error as an explicit layer may allow training the network by splitting of data set


Problems to solve

• Stech points out that you have to work on at least three levels — obvious, cross, double cross (paraphrase)

• Templates must accommodate this — hard to do, templates become very involved

• Templates of deception must be included — dependent on culture, enemy doctrine, military history

• Templates must change with time, circumstance — this can be accommodated by adding new templates

• Enemy deception doctrine is key


A  note  on  RAID 


The Defense Advanced Research Projects Agency (DARPA) is presently developing the Real Time Adversarial Intelligence and Decision Making (RAID) tool.*

• RAID will take three years from contract award to bear fruit.

• The RAID deception module is defensive only.

• RAID is ambitious and hence high risk.

• The deception module will likely be dependent on the rest of the tool, especially the Adversarial Reasoning Model. If any part of the whole does not work, the usability of any component is at risk.


•  RAID  as  envisaged  in  its  initial  phase  will  be  a  tactical  level  tool  only. 


*  See  http://dtsn.darpa.mil/ixo/solicitations/raid/index.htm,  accessed  3  January  2005. 




Summary 


• The opportunity exists to develop a data base tool that may have substantial benefits in lower level operations, including cuing of possible deception

• This tool will take a bottom-up approach to the analysis

The next step is to:

> Choose or devise a simplified surrogate data base,

> Devise a set of templates,

> Devise and test several metrics for determining fit of the metrics to the data,

> Estimate the utility of measures of the fit to improve both the commander’s and battle staff’s interpretation of the situation.


Backups 
[Figure: MOTORIZED RIFLE COMPANY (BTR), WITH ATTACHED TANK PLATOON]

A Detailed Example: Tank Battalion Command and Control, continued

RADIO NETS, REINFORCED TANK BATTALION (VARIANT)

Shown here is a radio net diagram of a tank battalion to which an entire artillery battalion is attached for support. A tank battalion normally would be directly supported by an entire artillery battalion if it were fighting in the first echelon, or if it were operating separately from its parent regiment, as it might in a pursuit.
Methods: Harris Inference from Ambiguities

Process: Reconstructive Inference
Description:
• Detect the presence of spurious signals (sprignals) that are indicators of D&D
• Apply templates predicted by conjectured pre-existing D&D hypotheses:
> Strong evidence confirming hypothesis A (the simulation),
> Weak contradictory evidence of hypothesis C (leakage from the adversary’s dissimulation effort),
> Missing evidence that should be present if hypothesis A were true.
Modes: Deduction

Process: Incongruity Testing and Inference
Description:
• Search for inconsistencies in the data (changes, anomalies, contradictions)
• Synthesize (conjecture) alternative explanations that attribute the incongruities to D&D (i.e. D&D explains the incongruity of evidence for more than one reality in simultaneous existence)
• Induce generalizations (as appropriate, when tested and confirmed).
Modes: Deduction, then, Abduction, then, Induction
Methods: Whaley-Busby Incongruities

“The possibility of detecting deception... is inherent in the effort to deceive. Every deception operation necessarily leaves at least two clues:

incongruities about what is hidden; and
incongruities about what is displayed in its stead.

The analyst requires only the appropriate sensors and mind-set (cognitive hypotheses) to detect and understand the meaning of these clues.” (Whaley-Busby p. 191).

[Figure labels:]

Incongruities about: Why that? there? now? only that? What is missing?

Sprignals and leaks - incongruous with everything else revealed

• ... limited true, but limit exposure

• Create false impression by structure of truth revealed

• Employ physical and operational security to prevent exposure of the simulations and misdirection

Incongruities about displayed - imperfections and incompleteness

Incongruities about what is protected and what should be protected
Example

1% of a country’s inhabitants are infected with a disease:

- Let $A_1$ = infected population, $P(A_1) = 0.01$

- Let $A_2$ = uninfected population, $P(A_2) = 0.99$

An imperfect diagnostic test has been developed:

- Let $B$ = a test confirming infection -> $P(B \mid A_1) = 0.97$ and $P(B \mid A_2) = 0.05$

$$P(A_1 \mid B) = \frac{P(A_1)\,P(B \mid A_1)}{P(A_1)\,P(B \mid A_1) + P(A_2)\,P(B \mid A_2)} = \frac{(0.01)(0.97)}{(0.01)(0.97) + (0.99)(0.05)} = 0.16$$
Bayesian Belief Network (BBN)

$$P(x) = \sum P(x \mid y_1, y_2, \ldots, y_n)\,P(y_1)\,P(y_2) \cdots P(y_n)$$

(Adapted from http://ai.stanford.edu/~koller/BNtut/sld061.htm, accessed 3 June 2005)